Malicious PDF — malware analysis report

Static analysis result for SHA-256 2336e1bdc8b553b3…

MALICIOUS

PDF

Size: 76.1 KB
Authoring application: PyPDF2
MD5: fee2e5632f819d5d184e238562f16989
SHA-1: bdf4ace409a4020f6af72f0f390fe2e2adb2f4cb
SHA-256: 2336e1bdc8b553b3dcb412e4d25165a419673158a722cec056a3cec714393875
Risk Score: 106

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains multiple embedded JavaScript streams, with one identified as a suspicious script payload. The heuristics indicate the presence of obfuscated JavaScript and a potential payload, suggesting the document's primary purpose is to execute malicious code. The deobfuscated JavaScript is large and complex, making its exact function difficult to ascertain without further dynamic analysis, but it is highly likely to be a downloader.

Heuristics (6)

  • Embedded script payload in PDF stream (severity: high, rule: PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact (severity: high, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (severity: low, rule: PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
  • PDF paints image(s) but contains no text operators (severity: info, rule: PDF_IMAGE_ONLY_LURE)
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size.

  • javascript_obj0004_000.js
    SHA-256: 6a89cfc2ec972c27651c8b0a3858343f57b5cc367cde21c394b2f15a136666df
    Kind: pdf-javascript-stream
    Source: PDF /JS object 4 at offset 0x134
    Size: 27744 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
  • embedded_pdf_script_00006a02.bin
    SHA-256: 364e2892379118a99e1b486dae03c70af2a8e3707cac2db6415817bd9cea5af1
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0x6A02
    Size: 77929 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
  • deobfuscated.js
    SHA-256: 6b08c53a863f39fbbc9dd7163d003d95f0df8721bf3a13072d099155312038e9
    Kind: deobfuscated-js
    Source: PDF JavaScript deobfuscation pass
    Size: 107808 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 6 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).